Date: Mon, 26 Apr 2004 09:18:05 +0200 (MET DST)
From: Mipam <mipam@ibb.net>
To: Peter Pentchev <roam@ringlet.net>
Cc: freebsd-security@freebsd.org
Subject: Re: use keep state(strict) to mitigate tcp issues?
Message-ID: <Pine.LNX.4.33.0404260910090.13131-100000@ux1.ibb.net>
In-Reply-To: <20040423144422.GD961@straylight.m.ringlet.net>
On Fri, 23 Apr 2004, Peter Pentchev wrote:

> On Fri, Apr 23, 2004 at 03:17:32PM +0200, Mipam wrote:
> > Hi,
> >
> > When deploying a BSD with IPF at the network perimeter
> > and using rules like these:
> >
> > pass in .. proto tcp ... keep state(strict)
> >
> > it's possible to refuse tcp packets which arrive out of order.
> > This would increase the difficulty of doing blind reset attacks and blind
> > data injection attacks, because then you'd have to "guess" the exact expected
> > number. Checkpoint has a similar feature (is that right?) which is
> > described here as the answer to the mentioned attacks:
> >
> > http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
> >
> > Although this is nice, there is also the risk of breaking
> > connections because it's not unlikely that packets arrive out of order.
> > At least, that's what I think, any thoughts upon this?
>
> IMHO, in the world of multihomed ISP's, BGP and multipath routing, no,
> it is definitely *not* unlikely that packets should arrive out of order.

I have no statistics and didn't check it out more closely, but in practice, let's say just daily life, in how many connections would packets be arriving out of order? Of course, if strict is being used, and out of order packets would be denied, tcp on the other side would resend all the packets within the window size (or any packets or packet stream upon which no ack has been received), but if they would be arriving out of order again, or at least one of them, no progress has been made. Don't take me wrong here, I think keep state(strict) is a cool feature, but I just wonder in how many cases in busy networks it would cause a certain amount of traffic loss (even though tcp should be able to remedy this and send the same packets several times, but it has no control over fast changing paths to its destination) and how large would that certain amount be?
Maybe I'm a little bit too paranoid in thinking too many connections are dealing with out of order arriving packets?

Bye, Mipam.
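The trade-off discussed in this thread (strict in-order state tracking shrinks the sequence-number space a blind forged segment can land in, but drops legitimately reordered segments and forces retransmission) can be modelled in a few lines. The following is an added illustration, not IPFilter's or Checkpoint's code; the trackers, the 1460-byte segments, the constructed arrival order and the simple "resend whatever was refused" sender are all assumptions made for the example.

```python
"""Toy model of stateful TCP tracking at a firewall: strict (exact expected
sequence number) versus window-based acceptance. Constructed example, not
the IPFilter implementation."""

TCP_SEQ_SPACE = 2 ** 32  # size of the 32-bit sequence-number space


class Segment:
    """One TCP data segment: first sequence number and payload length."""
    def __init__(self, seq, length):
        self.seq = seq
        self.length = length

    def __repr__(self):
        return f"Segment(seq={self.seq}, length={self.length})"


class StrictTracker:
    """Models keep state(strict): a data segment passes only when its
    sequence number is exactly the next one expected."""
    def __init__(self, isn):
        self.expected = isn

    def accept(self, seg):
        if seg.seq == self.expected:
            self.expected += seg.length
            return True
        return False


class WindowTracker:
    """Models ordinary window-based tracking: a segment passes if it starts
    anywhere inside the receive window; out-of-order segments are held and
    the expected pointer advances over any contiguous run."""
    def __init__(self, isn, window):
        self.expected = isn
        self.window = window
        self.held = {}  # seq -> length of segments accepted out of order

    def accept(self, seg):
        if not (self.expected <= seg.seq < self.expected + self.window):
            return False
        self.held[seg.seq] = seg.length
        while self.expected in self.held:
            self.expected += self.held.pop(self.expected)
        return True


def forged_segment_odds(window, strict):
    """Fraction of the sequence space in which a blindly forged segment is
    accepted: a single value under strict tracking, the whole window otherwise."""
    acceptable_values = 1 if strict else window
    return acceptable_values / TCP_SEQ_SPACE


def transfer(tracker, arrival_order, max_rounds=10):
    """Deliver segments in the given (possibly reordered) arrival order.
    Segments the tracker refuses are resent in sequence order in the next
    round, standing in for the sender retransmitting after missing ACKs.
    Returns (rounds_needed, total_segments_dropped)."""
    pending = list(arrival_order)
    dropped = 0
    rounds = 0
    while pending and rounds < max_rounds:
        rounds += 1
        refused = [seg for seg in pending if not tracker.accept(seg)]
        dropped += len(refused)
        pending = sorted(refused, key=lambda s: s.seq)
    return rounds, dropped


# Constructed trace: four full-size segments of one connection, ISN 1000.
ISN = 1000
IN_ORDER = [Segment(ISN + i * 1460, 1460) for i in range(4)]
# Constructed arrival order: the last two segments swapped, as can happen
# when consecutive packets take different paths.
REORDERED = [IN_ORDER[0], IN_ORDER[1], IN_ORDER[3], IN_ORDER[2]]


def compare(arrival_order, isn=ISN, window=65535):
    """Run the same arrival order through both trackers and report
    (rounds, dropped) for each."""
    return {
        "strict": transfer(StrictTracker(isn), arrival_order),
        "window": transfer(WindowTracker(isn, window), arrival_order),
    }


if __name__ == "__main__":
    print("reordered trace:", compare(REORDERED))
    print("in-order trace:", compare(IN_ORDER))
    print("blind forge odds, strict:", forged_segment_odds(65535, strict=True))
    print("blind forge odds, window:", forged_segment_odds(65535, strict=False))
```

On the reordered trace the strict tracker refuses one segment and needs a second round (the retransmission) to complete, while the window tracker finishes in one; the in-order trace is identical for both. The model resends refused segments in order, so it understates the cost Mipam raises in the thread: if the retransmission is reordered again on a fast-changing multipath route, the strict tracker refuses it again and the connection makes no progress for that round.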
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.33.0404260910090.13131-100000>